Omid's TechBlog!

Megaupload, up again? no

2012-01-24T16:00:00.000+03:30

GFI: You’re probably aware that Megaupload has wandered into what can only be described as a bit of a pickle, assuming said pickle is roughly the size of a Vogon Constructor Fleet.

Given that lots of people probably want to take a peek at the FBI Anti-Warning currently pasted across the front of Megaupload.com (or maybe even just see if the site is back online), it’s a fair bet that Ye Olde Typo Fairy will be called into action and some of them will end up going to Megaupload(dot)cm.

You can see what they did there.

On the basis that Wikipedia hasn’t gone dark for a day or covered itself in pictures of Jimmy Wales, we can see that the .cm TLD is intended for domains connected with Cameroon. Typosquatting seems to be a bit of a thing:

In a report published in December 2009 by McAfee, “Mapping the Mal Web – The world’s riskiest domain”, .cm was reportedly the riskiest domain in the world, with 36.7% of the sites posing a security risk to PCs. [5] It is widely assumed that malicious domain programmers rely on inadvertent misspellings of well-trafficked websites ending in “.com” to lure unsuspecting users to their domains.

Registered back in 2009, Megaupload(dot)cm takes you a site located at surveytakelive(dot)com, which tells us via the method of popup box that there are prizes up for grabs and you’ll have to fill in some personal information.

Next up, you have to pick one of the three options presented. I went with the Love Thermometer, mainly because it’s called the Love Thermometer and also has a graphic of a baseball bat.

Hitting the Love Thermometer button takes us to a promo located at enterfactory(dot)com, which turns out to be a mobile phone promotion costing various amounts of cash per day until the user unsubscribes.

The adverts served are region specific – the above are what you’ll see if in the Philippines, whereas visiting from the US will result in iPad, Walmart and Visa giftcard offers instead.

Be mindful of what you’re typing into the URL bar, and let me know if you discover what the Love Thermometer actually does…

Facebook Scam: Free Amazon.com gift card promotion

2012-01-24T15:30:00.000+03:30

SophosLabs: Gift card scams are a common sight on Facebook, and this weekend it has been the turn of Amazon.com to be the brand used by cybercriminals as a way of making them cash.

One Free Amazon.com Gift Card (limited time only)
[LINK]
Amazon is currently giving away gift cards to all facebook users. Click here to get one!

When you see one of your friends share a link like this with you, the truth is that they have been duped into a scam. Be careful not to make the same mistake as them, or you'll just be helping put cash into the pockets of the bad guys.

If you do click on the link you are taken to a webpage on a third-party website which looks something like this:

Notice how it encourages you to re-share the link, and add a comment, before it will allow you to access the special deal (in this case, an allegedly free Amazon.com gift card).

If you follow the page's instructions you will be taken to another webpage, in this the example below it encourages you to sign up for a premium rate mobile phone service which could end up hurting you in the pocket.

In addition, the scammers earn affiliate cash by driving traffic to sites like this.

You have to ask yourself at this point - are you partly to blame?

I mean, yes - in an ideal world - Facebook would have blocked the link from spreading and prevented you from clicking on it. But why did you seriously believe that Amazon.com was going to give you (and presumably the other 800 million people on Facebook) a free gift card?

It's even more implausible when you consider that the image used in the Amazon.com gift card scam messages is for a jaw-dropping $500.

If you're one of the many people who fell for this or similar scams, please check your Facebook page to ensure that you are not spreading any messages to your online friends and ensure that you have revoked any Facebook applications, events and "like"d pages that you are uncomfortable with.

If you use Facebook and want to get an early warning about the latest attacks, you should join the Omid's TechBlog Facebook page.

Facebook Scam: See who views your profile!

2012-01-24T14:07:00.000+03:30

Earlier today we have seen a new Facebook clickjacking scam which spreads quite fast.

I KNOW WHEN YOU LOOK AT MY PROFILE USING THIS: http://bit.ly/<removed>
NEW! See who views your profile!
www.<removed>.com
Do you want to know who is looking at your photos right now? Find out who looks at your profile the most and what they look at!

or other variant even more provocative:

CLICK HERE TO SEE WHO IS STALKING YOU: http://bit.ly<removed>
NEW! See who views your profile!
www.<removed>.com
Do you want to know who is looking at your photos right now? Find out who looks at your profile the most and what they look at!

Continue reading at Avira's TechBlog: http://techblog.avira.com/2012/01/23/new-facebook-clickjacking-scam-which-promises-to-show-you-who-has-seen-your-profile/en/

Best action you can take is avoid clicking on the link and also report the post by hover the mouse over it and click on "x" that you see top right of the post says "Report/Mark Spam"

Don't forget There are NO way to see who views your profile.

LA Time: Dropbox inventor determined to build the next Apple or Google

2012-01-17T13:13:00.000+03:30

Drew Houston's wildly popular service allows people to access the latest version of all their digital stuff on any device no matter where they are. Every day 325 million files are saved on Dropbox.

Drew Houston, 28, chief executive and co-founder of Dropbox, last fall pocketed $250 million from seven of Silicon Valley's top venture capital firms. That eye-popping sum pegged the value of his company at $4 billion and his own net worth — at least on paper — at an estimated $600 million. (Matt Staver, Bloomberg / July 6, 2011)

Read the full store here in LA Times: http://www.latimes.com/business/la-fi-dropbox-20120115,0,6541893.story

Hotmail phishing: Don't send us the wrong password or we'll suspend your account!

2012-01-14T13:47:00.000+03:30

SophosLabs: Have you been told to verify your Hotmail account? Did you receive a message saying that Hotmail's email servers were congested, and so they were removing all unused accounts?

If so, I hope you responded to the email with a roll of the eyes and a quick stab of the delete button. Because if you didn't, you might have been at risk of having your login credentials stolen.

Thanks to the reader, who forwarded us the following phishing email that he and others received, posing as communication from Hotmail:

Part of the email reads:

We are upgrading our database to serve you better. Due to the congestion in our E-mail servers there would be removal of all unused Hotmail Account. You will have to confirm if your E-mail account is still active by filling out your information below after clicking the reply button

The email then requests that you reply with your Hotmail username, password, date of birth and country. Of course, doing so puts vital information right into the hands of the cybercriminals.

It looks like the bad guys have had some problems in the past though, with victims handing over incorrect information (how typical!):

Ensure every detail requested above is provided correctly upon receipt of this notification to enable the upgrade. Incomplete details and wrong passwords forwarded will result in suspension or closure of your account for security reasons.

The fact is, of course, that the email isn't from Hotmail, and they would never ask you for your password. Although a simple phishing scam like this can be obvious to those of us who work in the field of computer security, there are plenty of less-savvy people out there who might be fooled into responding - and hand over the keys to their account.

Pink Facebook? Red or black Facebook?

2012-01-11T22:33:00.001+03:30

Pink Facebook? Red or black Facebook?

No, it's a scam you want to avoid. Share the knowledge with your friends!

Credit to Norman Security for sharing :-)

Chrome 17 enters beta, improves speed and security

2012-01-08T22:10:00.001+03:30

H-Security: Version 17 of Chrome has been released into the WebKit-based browser's Beta channel. Its developers say that the new Chrome beta, version 17.0.963.26, is focused on improving two of the browser's core principles: speed and security.

To make Chrome "go even faster", some web pages will start loading in the background before a user has even finished typing a URL into the Omnibox address and search bar. To reduce the time between a user pressing enter and the page being fully loaded, Chrome will pre-render some pages if the URL auto-completes to a site a user is likely to visit. According to Google Software Engineer Dominic Hamon, this will, in some cases, cause pages to appear "instantly".

With version 17, Chrome's Safe Browsing technology has been extended to protect against malicious downloads by analysing executable files, including Windows .exe and .msi files. So, if a user visits a web site and is tricked into downloading, for example, a fake anti-virus product, Chrome will issue a warning if the file appears to be malicious and will advise the user to discard it. Further details about Chrome 17.0.963.26, which is available to download from dev.chromium.org, can be found in a post on the Google Chrome Blog.

The Chrome Team at Google has also updated the browser's Stable channel to version 16.0.912.75, closing three high risk security holes. These include a use-after-free in animation frames, a heap-buffer-overflow in the libxml software library, and a stack-buffer-overflow in glyph handling.

As part of its Chromium Security Rewards programme, Google paid security researchers a total of $2,000 for discovering and reporting the holes. As usual, further details of the vulnerabilities are being withheld until "a majority of users are up-to-date with the fix". Chrome 16.0.912.75 is available to download from google.com/chrome; alternatively, users who currently have Chrome installed can use the built-in update function.

Internet Explorer to upgrade automatically, unless you say no

2011-12-17T22:36:00.000+03:30

SophosLabs: Microsoft's Ryan Gavin announced a new strategy to keep the web safe... Keep your Internet Explorer up to date.

It is great news for Windows users who don't appreciate the importance of staying up to date.

Microsoft has been struggling with browser stragglers for years. They even ran their own campaign comparing IE 6 to spoiled milk including shameful infopr0n.

Old versions of IE leave a considerable number of users vulnerable to old exploits, or in their parlance easy targets.

If Microsoft updates everyone's browser how will companies like Google have their "Aurora" moments?

While bringing everyone up to Internet Explorer 9 is a great initiative, and doing so automatically will help things along, there are still some big issues ahead for Microsoft.

Their new policy seems to rest somewhere between Google Chrome's "You don't know it but you just upgraded major versions" and Mozilla Firefox's "You know that our weekly major revision is available, would you like it now? Would ya? Please?"

This could be a big problem for some enterprises that followed Microsoft's advice 10 years ago and adopted a fully-integrated, Active-X, .aspx, optimized for Internet Explorer 6 (or 7!) internal web application.

Most organizations that use Internet Explorer are stuck on older versions because of IE-only proprietary code, and the fact that you can only have one version of Internet Explorer installed at the same time.

It only takes one application. Which is why Microsoft introduced the Internet Explorer 8 and 9 upgrade blocker. This allows you to stay as stale as Internet Explorer 7 if you wish.

Australians and Brazil will be the first to see the automatic upgrades in action, and users who have already said no to IE 8 or 9 will remain at their current version.

Good news for web developers, good news for security and most of all a demonstration of why open standards are such a good idea.

We could all be running Chrome 36 if it wasn't for that darned Active-X control for Accounting...

Adobe closes Acrobat and Reader security holes

2011-12-17T22:09:00.002+03:30

The H-Online: The first patches for the zero-day flaw in Adobe's Acrobat and Reader applications, which the company confirmed was being exploited in the wild, have been released. The initial problem was caused by a memory corruption when processing Universal 3D (U3D) files, which could allow attackers to potentially take control of an affected system. The patches released also address a newly revealed critical flaw (CVE-2011-4369) which can cause memory corruption when processing Product Representation Compact (PRC) 3D files.

Adobe has now released updates for Adobe Reader 9.x for Windows and Acrobat 9.x for Windows. The updates can be installed by selecting Help ➤Check for Updates in either application. Manual downloads for Reader 9.4.7 and Acrobat 9.4.7 are also available. Adobe is not releasing updates for Reader X or Acrobat X at this time because it says the defensive technologies added to those products stops any exploitation of the flaws. It will be releasing fixed versions of those applications as part of the next quarterly security update on 10 January 2012, along with updates for the Unix and Mac OS X versions.

Adobe suggests that users of Reader and Acrobat X should verify the defensive mechanisms are enabled. In Acrobat X a user should go to Edit ➤ Preferences➤ Security (Enhanced) and make sure that "Enable Enhanced Security" is checked along with either "Files from potentially unsafe locations" or "All files". Adobe Reader X users should go to Edit ➤ Preferences ➤ General and ensure that "Enable Protected Mode at startup" is checked.

Visa looks into Eastern European security breach

2011-12-17T21:41:00.000+03:30

SophosLabs: Visa is investigating a potential security breach that may have compromised payment cards of Eastern Europeans.

Although Visa hasn't disclosed which countries were hit, the Romanian state-owned CEC Bank has blocked and reissued 17,000 cards on suspicion that they had been compromised.

CEC Bank said in a statement that "a number" of cards issued by banks both in Romania and abroad might have been compromised via an international database.

Here's an excerpt from the statement, translated into English from Romanian by v3.co.uk:

The bank has been informed that a number of cards issued by banks in Romania and abroad have been potentially compromised through an international database. CEC Bank has decided to block the cards and reissue a new card and PIN, at no cost, for a number of cards in its portfolio

This attack did not target CEC Bank's cards alone and was not due to any bank vulnerability. Our clients' money is safe.

Visa pinned the problem on a European payment processor and issued this statement:

Visa Europe has been informed of a potential data security breach at a European processor and an investigation is underway. We are working closely with our member banks to ensure cardholders are protected.

In his report on this incident, v3's Phil Muncaster pointed to a warning earlier this month from Trend Micro regarding a basic design flaw in some implementations of the 3D Secure protocol - aka "Verified by Visa" and "MasterCard SecureCode" - that could allow crooks to conduct ID fraud on some Visa cards.

The potential security hole in 3DS is a result in a weakness in the password reset process of some system versions, Trend Micro's Rik Ferguson explained the flaw on his CounterMeasures blog:

If you are making a purchase through a merchant that is subscribed to the program, you will be redirected, during the payment phase, to a 3DS verification page. On this page you confirm the details of the transaction, enter your password and hey presto, the transaction is complete. So far so good, the merchant never sees my password, no transaction with that merchant can be completed without it and I’m protected, but...

He then goes on to describe the password reset link, finding that three of four pieces of information used to verify identity - cardholder name, expiration date and signature panel code - are all contained in the card itself, either embossed or printed and contained in the magnetic stripe data.

The fourth piece of information, cardholder date of birth, would be drop-dead easy to track down, he says:

Trouble is, it’s information that is not only widely shared on social networks, surveys, sign-up forms and a myriad of other places, but also freely available in public records. We cannot and should not consider our date of birth to be a secret.

The Eastern Europe breach and the 3DS flaw are spelling one headache-y month for Visa so far. Yikes, now all the company needs is for the EU to contemplate carving away at its profits with big fines for privacy breaches or something like that.

But wait, that's exactly what the EU is mulling!

The way the Financial Times reads it, the proposed rule, slated to be introduced in January, will impact social media most sharply, serving as a significant tool to boost the EU's powers when it comes to combating data protection breaches.

But it will be interesting to see what happens (if in fact the rule doesn't get watered down to pointlessness, that is) in cases such as credit card payment breaches like the one Visa is now investigating, if it turns out that Visa or its payment processor was treating customer data with anything less than kid gloves.

Come join my forum

2011-12-09T15:53:00.001+03:30

Hi Folks!

I would like to invite you to join my forum, its a small forum for now but by the time it will get better, a link to my forum is available in in my TechBlog, LifeBlog or in my site, feel free to join and express yourself in whatever you like, feel free to post whatever you like except advertisement, Thanks! :-)

forum.omidfarhang.com

Thank you for joining in advance
-Omid

Also posted in Omid's LifeBlog

Keep your Facebook friends close and your antivirus closer

2011-11-18T19:53:00.001+03:30

Microsoft Malware Protection Center: Facebook malware attacks are not new. Scams spreading via status updates have been around for a long time, but in recent weeks one threat has been getting creative in terms of social engineering. Backdoor:Win32/Caphaw.A can intercept URL requests in both Firefox and Internet Explorer and it has been observed to post very personable updates on friends' walls in Facebook, gaining access if the user is logged in.

The message links to a video posted on a Youtube-like website, which suggests that the user update the browser with a bogus ActiveX object. The malware's authors also went one step further in making sure the video landing page looks as legitimate as possible:

This download is actually Backdoor:Win32/Caphaw.A, a sophisticated firewall-bypassing backdoor armed with almost everything. It installs an FTP server, a proxy server, and a keylogger on the computer. It also has built-in remote desktop functionality based on the open source VNC project. We received a report that a user found this in his computer and also discovered that money had been transferred from his bank account by an unknown party. The keylogging component, coupled with the remote desktop functionality, makes it entirely possible for this to have happened.

The backdoor "calls home" to domains such as commonworld[removed].cc or web[removed]es.cc to get the data that it posts on the friends' Facebook walls. Its main module, in the meantime, is hosted on [removed]youtube.com.

The good thing to do when spotting such fishy wall posts is to warn your friends whose accounts have been compromised. You can mark the message as spam to help prevent others from downloading the backdoor; Facebook is quite diligent about filtering these posts once they have been reported.

The presence of this threat on your computer threatens your whole online identity, so we recommend that you change the passwords to all of your sensitive accounts – email, online shopping, and online banking, for example. And while you're at it, remind your affected friends to change their Facebook passwords, too.

Finally, scan your machine with an up-to-date antivirus solution to remove this malware from your computer.
Here are some SHA1s of files detected by our products as Backdoor:Win32/Caphaw.A:

c10ad13419ea44ba85cd8e83e2cd7ac8313e91de
54d9f40156cc4a2561252f8ad30b4afdcc5e93b4
ebbd8790eab8a9822a80c2afaa575a4b2c2f3b55

Stop Censorship: Help us stop the Internet Blacklist Legislation

2011-11-17T17:30:00.001+03:30

Protect the Internet

Help us stop the Internet Blacklist Legislation

Mozilla: On November 16^th, Congress holds hearings on the first American Internet censorship system. This bill can pass. If it does, the Internet and free speech will never be the same.
Join us to stop this bill.

Why?
A few infringing links are enough to justify censoring an entire site, blocking good content along with the bad.
How?
The US will be able to block a site’s web traffic, ad traffic and search traffic using the same website censorship methods used by China, Iran and Syria.
Who's at risk?
Your favorite websites both inside and outside the US could be blocked based on an infringement claim.
Could this pass?
Yes. The Stop Online Piracy Act and the PROTECT IP Act have widespread support in Congress and are expected to pass.

http://americancensorship.org/

Persistent XSS Vulnerability in White House Website

2011-11-04T23:51:00.000+03:30

The Hacker News: Alexander Fuchs, A German Security Researcher Discover Persistent XSS Vulnerability in Official website of White House.

"The petition system is vulnerable. Every Petition i start or join will execute my code. I could join all petitions and my code will be executed on all users who visit the petition system." He said.
Read full story in German: http://www.1337core.de/2011/die-whitehouse-gov-lol-petition/

The XSS Demo is here: https://wwws.whitehouse.gov/petitions/!/petition/security/WxgwM7DS
Advisory: http://vulnerability-lab.com/get_content.php?id=308
What is XSS? http://en.wikipedia.org/wiki/Cross-site_scripting

Forward button to become optional in Firefox

2011-11-04T14:48:00.000+03:30

mozillalinks.org: Do you need the forward button? Most likely yes, but it is rarely used compared to the back button, which is the single most used widget in any browser user interface. So it doesn’t make sense to keep it present at all times, stealing focus from its helpful neighbor.

To address this, current Firefox nightlies feature the forward button as optional. If there is nowhere to go further, the button is hidden instead of just disabled as shown in the screenshot below.

Since it is only in nightlies at this time, Firefox 10 (expected for early 2012) is the earliest we will see this change in a final Firefox release.

If you want this behavior and remove some clutter today, add these lines to your userChrome.css file located in your profile folder*:

/* Conditionally hide the Forward button */
#forward-button[disabled="true"] {  display: none; }

Note that the back button won’t integrate with the location bar as in the nightlies.

* To open your profile folder, go to about:support and push the Open Containing Folder button. If userChrome.css is not present, just copy or rename userChrome-example.css and add the lines below.

Internet Explorer’s Share of Web Traffic Drops Below 50%

2011-11-03T15:45:00.000+03:30

Mashable: Internet Explorer can no longer claim more than half of the web’s traffic, as of October, ending more than a decade of the default Microsoft browser’s reign.

Safari’s hold on 62.17% of mobile traffic has reduced IE’s overall share of web browsing, despite still claiming 52.63% of desktop traffic, according to Netmarketshare.com.

The Microsoft browser’s diminishing share (49.6%) reflects its near absence from the realms of mobile and tablet, which now make up 6% of web traffic. However, chances are, you gave up on IE long enough ago that this milestone makes you more curious as to who actually still uses the browser.

As of October, Firefox is the second most popular web browser, accounting for 21.20% of traffic, followed by Google Chrome and Safari, which account for 16.60% and 8.72% respectively.

Chrome, which recently celebrated its third birthday, experienced the most expansion in October, increasing its share of the desktop market 1.42%.

Safari, the default browser in Apple’s iPhone and iPad, continues to increase its dominance over the mobile web, gaining 6.58% of the market. Safari’s share is increasing faster than the iPhone’s, probably due to how much mobile traffic is now driven by iPads.

Google Releases Official Google+ Notification Extension For Chrome

2011-11-03T15:39:00.000+03:30

gHacks.net: If you are a heavy user of Google’s Google+ social networking product you are probably keeping the site running in a tab all the time to never miss new messages. But even if you do, you need to switch back to the tab regularly to see if there are any new notifications on Google+.

Notifier extensions make sure that users stay informed even if they close the Google+ browser window. Up until now Chrome users could make use of third party notifiers which, will working perfectly, were not official which may have kept some users from installing and using those extensions.

Google yesterday released the official Google+ notification extension for the Google Chrome browser.
Google+ Notifications works in principle just like any other notification extension. A new message count is displayed as an icon in the Chrome address bar upon installation. The count goes up for new unread messages and down once those messages get read by the user.

The button of the notification extension turns red whenever updates are waiting for the user. A click on the button displays all recent messages and updates on Google+. This feature is a copy of the Google Toolbar button that offers the exact same functionality.

Notifications include updates on who added you on Google+ and who added a comment or +1 to one of your posts or a post you commented on.

A click on an update leads directly to the Google+ website where it can be read in full. The notifications window also links directly to the Google+ user profile and offers to load the “all notifications” page on the website as well.

Heavy Google+ users on Chrome may find the new official Google+ Notifications extension by Google quite handy. Users can install the extension directly on the Google Chrome Web Store page. (via)

Duqu exploits previously unknown vulnerability in Windows kernel

2011-11-03T15:16:00.000+03:30

The H-Online Security: Microsoft has confirmed a report from Budapest-based Laboratory of Cryptography and System Security (CrySyS), which claimed that the Duqu bot spreads by exploiting a zero day vulnerability in the Windows kernel. How it spreads had previously been unknown. CrySyS discovered the Windows vulnerability whilst analysing the installer. The bot, which anti-virus software firm Symantec believes is related to Stuxnet, infects target systems using a specially crafted Word file which injects the malware into the system using a kernel exploit. Microsoft is already working on a patch.

Symantec says that in at least one case, attackers have already taught Duqu to spread via network shares. This allowed the bot to spread through the company network and even infect systems with no direct internet access. The latter were then supplied with instructions from the command and control server by bots which did have internet access.

Until now, Duqu has reportedly only been used for targeted attacks. The installer examined by Symantec was set to be active during an eight-day window in August, only. Symantec has already identified possible infections at six companies operating in France, The Netherlands, Switzerland, the Ukraine, India, Iran, Sudan and Vietnam. Other security companies claim to have discovered infections in the UK, Austria and Indonesia. To date, Duqu has not been identified at German companies. The German Federal Office for Information Security (BSI) has specifically asked businesses to inform it of any cases of infection.

One area in which Duqu has been deployed is to carry out espionage against manufacturers of industrial control systems. This suggests that the attackers may be using the stolen information to plan new attacks on industrial control systems, such as those used in power plants. Stuxnet was initially deployed to sabotage Iran's nuclear programme. Stuxnet also exploited previously unknown vulnerabilities in Windows.

In the meantime, security specialists from Dell's SecureWorks Counter Threat Unit (CTU) have expressed doubt as to whether Duqu is really related to Stuxnet. They report that although both pieces of malware utilise broadly similar rootkit techniques, such as a kernel driver which first decrypts an encrypted DLL and then injects it into other processes, these techniques are now standard practice and are used by many pieces of malware unrelated to Stuxnet. Duqu's payload, according to Dell, bears no relation to Stuxnet's and does not suggest a relationship between the two.

Facebook Scam: Girl killed herself on Halloween

2011-11-03T15:08:00.002+03:30

SophosLabs: Scammers have put a new spin on an old Facebook scam, claiming that a girl killed herself on Halloween after her father posted a message on her wall.

Facebook users are sharing messages with their friends, claiming to link to the salacious content.

Girl-Killed-Herself-on-Halloween-After-Dad-Posted-This-on-Her-Wall
[LINK]
This is unbelievable.. shocking..

The messages are currently spreading very quickly on Facebook, as - at the moment at least - Facebook's built-in security systems are not blocking them.

We've seen similar scams in the past, of course, including some which claimed that the girl killed herself on Christmas Eve rather than at Halloween.

Of course, the story is purely designed to lure you into clicking on the link. So what do you see if you do click on the link?

You are taken to a third-party webpage where you are told that in order to view the shocking message left by the father on his late daughter's Facebook wall, you will have to "Share" and "Recommend" the link with your friends.

Woah!! Would you really share and recommend a link before you've actually found out what the content is?

Sadly, lots of Facebook users are so curious that they will do exactly that - helping the message spread for scammers.

And why do the scammers want the message to spread?

Because it drives traffic to online surveys like this, which earn the scammers affiliate commission:

If you were fooled into participating in this scam remove the message from your newsfeed, and delete any messages you may have inadvertently shared with your friends. That way at least you are no longer spreading it with your online chums.

Make sure that you keep informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Omid's Blog page on Facebook, where people regularly share information on threats and discuss the latest security news.

MyBB downloads were infected

2011-10-25T20:33:00.000+03:30

The H-Security: In a blog posting, the MyBB development team has confirmed that the download package for version 1.6.4 of MyBB had been modified to include malicious code. Unknown attackers were able to exploit a vulnerability in the MyBB web site's CMS (content management system) to inject and execute PHP code.

The attackers placed a contaminated version of MyBB, containing a backdoor, on the server. It is unclear exactly when the hack took place, meaning that all downloads of 1.6.4 prior to 6 October could be affected. Users with MyBB systems are advised to check their installations and apply a patch. For rapid disinfection, the developers are advising users to replace the /index.php file with a clean version and to delete the /install/ directory.

The MyBB development team is currently mulling over what conclusions can be drawn from the successful attack. One countermeasure they intend to take is to publish checksums to enable users to check that their downloads are genuine; however, this would not be particularly effective if the attackers have control of the server on which the checksums are store. A better solution would be digital signatures, since these cannot be faked without the secret key – though the problem with digital signatures is that, unless the update system does so automatically, almost no-one ever checks them.

Hoax: The Pink Profile Pic Facebook virus hoax

2011-10-25T19:57:00.001+03:30

SophosLabs: Have you noticed the profile pics of some of your Facebook friends have acquired a pink tinge?

Rumours have hit the social networking site that the Facebook app that turns your profile picture pink carries "keylogger malware" that can spy on your keypresses, and steal your passwords - not just from Facebook, but from online banks you may log into as well.

One warning reads as follows:

ABC News 24 just released a statement about a virus on facebook app that adds a pink tinge to your profile picture to `raise money for cancer`.
Be aware this fake third-party app installs a virus on the machine you used to access the app. Apparently its a keylogger malware that searches for bank details and passwords etc. Facebook allows keylogger in its apps to aid predictive search algorithms, and therefore the virus hasnt been picked up.
Keep a look out for any of your friends who may have fallen victim to this app. Apparently, they should be easily identifiable with a pink tinge to their profile picture.

However, the warning is balderdash. ABC News has released no such warning, the app is not malicious and we have seen no evidence that it contains a keylogger. The truth is that your Facebook friends are doing something positive - helping raise money and awareness for the fight against breast cancer.

Australian bank CUA raises funds every October for Breast Cancer Awareness Month, and this year decided to share an app that would change users' profile pictures pink to show that they were supporting the campaign.

Remember to always get your computer security advice from a computer security company. Friends may be well-intentioned in passing on warnings, but it's always good to check your facts before forwarding them any further.

If you want to learn about the real threats on Facebook you should join the Omid's Blog facebook page, where I'll keep you up-to-date on the latest rogue applications, scams and malware attacks threatening social network users.

The continuation of dangerous rogue ads on Bing (and Yahoo)

2011-10-23T21:19:00.001+03:30

GFI Labs Blog: We've noted this before, but Microsoft needs to get a handle on ad placements on Bing. Ok, so Bing isn't the most widely used search engine, but remember that Yahoo plays a part here as well.

In this case, we're talking Sirefef (ZeroAccess aka Max++), probably the nastiest piece of malware circulating on the 'net right now. Sirefef kills any attempt to remove it, and is nearly impossible to clean (short of booting onto a rescue disk and performing cleanup actions, or reformatting).

So just search for "adobe flash", and you might see this ad:

(That same search term will look identical on Yahoo, since Yahoo displays Bing ads and search results.)

Which leads to an innocent-looking "download flash" page:

Note that the page isn't actually "GetAdobeFlash.com". Instead, it redirects to a directory on a compromised trucking site (arulbrothers.com), downloading a file from torreandaluz (dot) com/flash/Flash Player 10 Setup.exe

So let's download that Flash Player and run it through VirusTotal, and no surprise: It's Sirefef.

Duqu, Son of Stuxnet?

2011-10-21T01:23:00.000+03:30

Schneier on Security: A newly discovered piece of malware, Duqu, seems to be a precursor to the next Stuxnet-like worm and uses some of the same techniques as the original. Link to Source

Symantec: W32.Duqu: The Precursor to the Next Stuxnet
Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility. Read Full Article

F-Secure: Duqu – Stuxnet 2:
A new backdoor created by someone who had access to the source code of Stuxnet has been found.
Stuxnet source code is not out in-the-wild (only the binaries). Only the original authors have the source code. So, this new backdoorwas created by the same party that created Stuxnet. Read Full Article

Norman: W32/Duqu – Stuxnet lite?
Oct 18th, our competitor Symantec published an extensive report on a malware called Duqu, which appears to bear some resemblance to last year’s Stuxnet worm. This time the malware does not seem to be aimed at sabotage, but is instead made for intelligence gathering. Read Full Article

Wired: Son of Stuxnet Found in the Wild on Systems in Europe

Duqu, like Stuxnet, masks itself as legitimate code using a driver file signed with a valid digital certificate. The certificate belongs to a company headquartered in Taipei, Taiwan, which Symantec has declined to identify. F-Secure, a security firm based in Finland, has identified the Taipei company as C-Media Electronics Incorporation. The certificate was set to expire on August 2, 2012, but authorities revoked it on Oct. 14, shortly after Symantec began examining the malware. Read Full Article

Update, Oct 24, Added Avira Article too:
Avira: Stuxnet v2 or TR/Duqu
The Stuxnet virus has gone to the next generation: “TR/Duqu”.
Avira already detects the new malware since VDF 7.11.16.63, which was released on 2011-10-19. Read Full Article

Twitter Malware Attack: Photos of Dead Gaddafi

2011-10-20T23:38:00.001+03:30

Mashable: As reports of former Libyan leader Muammar Gaddafi’s death circulate on the Internet, so is a gruesome cellphone photo of what appears to be his severely wounded body and another that appears to be his dead body. Both are likely opportunities for spammers with bad intentions.

The first photo was distributed by the news agency AFP after commanders for Libya’s transitional military, the National Transitional Council (NTC), said they had captured Gaddafi after invading his hometown of Sirte. On Thursday, an NTC spokesperson told the New York Times Gaddafi had been killed, but the U.S. State Department had still not confirmed his death as of 10:00 a.m. ET.

Celebrations in Libya and a flood of Twitter updates are treating the announcement of Gaddafi’s death as authentic — including a slew of sharing of the photos allegedly showing his capture.

In the past, photos like this — including alleged photos of Osama Bin Laden’s body — have been easy vehicles for malicious links. One reason is search engines decide which links are legitimate partly by looking at user behavior. When news like Gaddafi’s death breaks, however, there is no history for them to rely on and malicious links mascarading as news can more easily rank high in search results. Another reason is that people often seek such images from unfamiliar sources. Websites or Twitter messages promise to link to a breaking topic and then lead instead to another site or virus. The Gaddafi photo is a prime candidate for this type of malicious links, so it’s wise to use caution when clicking.

Because of the photo’s violent nature, we have decided not to post it in this article. There is another photo that has been shown on news network Al Jazeera (Warning: this links to graphic content) of Gaddafi’s body that could be susceptible to similar scams.

So are the photos fake? An NTC official told Reuters that the apparently dead man in the Al Jazeera photo is Gaddafi. But as CNN notes, “Much caution should be used with these reports because false information has come out previously.”